topic ASA Reachable but the equipment's connected to it are not in Network Security

ASA Reachable but the equipment's connected to it are not

rahaliix131005 — Tue, 12 Dec 2023 20:07:10 GMT

Hi Guys ,

I have a sort of a confusing issue so basically I'm trying to connect an ASA 5506-X(remote site ) to our DC via site to site VPN when connecting the device i notice that the VPN tunnel is up and from our mgmt vm's i can ping the remote asa fw how ever i cannot ping any of my equipment's that are connected it .

What's really confusing for me is even tho we work with basic settings (no NAT..) and every time deploying a new site we use the same config almost and it always works perfectly i started to think that maybe the asa is faulty since it's a used one but not sure.

What do u guys think ? I'm getting hard time troubleshooting this issue .

the full config is in the attachment

Re: ASA Reachable but the equipment's connected to it are not

MHM Cisco World — Tue, 12 Dec 2023 20:11:51 GMT

Do this command

clear crypto ipsec sa inactive

Then check again

MHM

Re: ASA Reachable but the equipment's connected to it are not

rahaliix131005 — Tue, 12 Dec 2023 20:26:39 GMT

on the remote FW right, I'll definetly try it

appreciated

Re: ASA Reachable but the equipment's connected to it are not

Rob Ingram — Tue, 12 Dec 2023 20:39:05 GMT

@rahaliix131005 if the tunnel is up, are the encap|decap counters increasing or not? Run "show crypto ipsec sa" on both sides and confirm, provide the output for review.

If the counters are increasing on one side but not the other, then that usually indicates a NAT or a routing issue.

Re: ASA Reachable but the equipment's connected to it are not

rahaliix131005 — Tue, 12 Dec 2023 20:46:06 GMT

I'm aware of the command u mentioned before but can you please explain the encap|decap counters ? , and for routing we just use static routes , nothing fancy . we always work with the same config same FW but this one is just not working properly pretty weird

Re: ASA Reachable but the equipment's connected to it are not

Rob Ingram — Tue, 12 Dec 2023 20:52:22 GMT

@rahaliix131005 for example: If the decaps counter is increasing then encrypted traffic is received, but if the encaps counter does not increase then the return traffic is not encrypted. This could either because traffic behind the ASA is not routing to the ASA (and vice versa) or more commonly there is no NAT exemption rule, so the return traffic is unintentially translated behind the firewall's outside interface. Another common issue is there is a local host based firewall on the client devices and traffic is dropped (hence no return traffic).

Re: ASA Reachable but the equipment's connected to it are not

Marius Gunnerud — Tue, 12 Dec 2023 22:00:25 GMT

You have only provided configuration for one side of the site to site VPN setup which makes it hard to see if there is anything missing or faulty in the configuration.

Assuming that all configuration on the DC side of the VPN is correct (No-NAT, crypto ACL, routing, etc.) then the most likely issue is routing / default gateway configuration on the endpoints or the network in between that you are trying to reach.

Another thing you could do is a packet tracer on the ASA5506 with a source of an inside / local IP and destination remote IP you are testing from to verify that the traffic truly is being sent into the tunnel. Run the packet-tracer twice and post the results here.